Title: Vulnerability Report for Ruby Gem gyazo-1.0.0

Author: Larry W. Cashdollar, @_larry0

Date: 06/01/2014

OSVDB: 108563

CVE:Please Assign

Download: http://rubygems.org/gems/gyazo

Gem Author: masui[at]pitecan.com

Author Contacted:6/25/2014

From: ./gyazo-1.0.0/lib/gyazo/client.rb

If this Gem is used in the context of a rails app a malicious user may inject commands via #{imagefile} and #{tmpfile} using shell meta characters like ; and sending an escaped \".

0through the {imagefile} name if the raw option is not set. Also file names are time based and predictable leading to file clobbering vulnerabilities as the running process username.

 57       unless opts[:raw]
 58         tmpfile = "/tmp/gyazo_upload_{Time.now.to_i}_{Time.now.usec}.png"
 59         if File.exist? imagefile
 60           system "sips -s format png \"{imagefile}\" --out \"#{tmpfile}\" > /dev/null"
 61         end
 62       end

Advisory: http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html